Some sort of infection - via either Network or multiple PC Devices


7 replies to this topic

#1 grindsetnmw

Posted 15 April 2024 - 02:00 PM

I have never seen a virus like this before.

 

Hey everyone, I'm very convinced that I have some sort of virus on either my network or my PC, or both. Not just any simple "wipe the OS" virus. I am posting here because I have no idea where else to get help. If anyone can help me pinpoint what exactly is infected and how to restart from fresh, I would really appreciate it.

 

So to start, the reason why I am convinced I'm hacked is firstly because I was 100% evidently losing my accounts to someone changing passwords. I had a RAT of some sort on my PC for a bit, and there were constant attempts to install other RATs on other PCs; I'm not sure how, maybe via the network? The reason why it's so hard to pinpoint what is infected now is because they're very sneaky. I've brought it to one computer guy in my town already, and he couldn't find anything; he just said to replace the power supply and did an OS wipe of his own (unsure if he did a low-level wipe, but he talked about it). However, faulty power supplies don't change emails and passwords. So I decided I'll have to try to figure this out on my own account, but I do not know enough in this area of security, so I thought I definitely need some help here.

 

So to start, the attackers like to do things when I leave my PC alone, and I come home to constant Event Viewer logs of credential enumerations and special logins. I have also run Wireshark tests and see there are some suspicious IPs, with info being sent from my IP address to theirs. A 6-hour test away from my PC came up with 2 million packets sent; not sure if that's normal or not.

 

And if all these things aren't sketchy enough, it seems that all of my PCs (3 in total) have become infected now, which makes me think there's some sort of rootkit infection or something deeper than normal malware or a virus, as I have tried reflashing the BIOS and reset the OS countless times, and still I am finding traces of suspicious activity. I'm thinking it's either my Netgear switch that provides access to my ISP's services (two separate networks branched off into two different routers via the Netgear switch), or it might just be my router that is infected, although I'm leaning more towards my switch being compromised, as both routers were compromised before already. So I purchased two new routers, which also got compromised, then I purchased two more new routers for the networks and plugged them into a new switch that my ISP replaced the compromised one with. I think that helped a bit, along with getting that computer guy to look at it, but I'm convinced I am still infected.

 

Another reason I am convinced it's not over yet is because, at various times, my internet will start seeming to receive high amounts of packets, almost like a timed-release sort of attack (usually through NetBIOS), and my internet will go crazy slow. On my routers in the past that were infected I'd just straight up be getting DDoSed, and the router logs would send me scans of DDoS attacks with certain IP addresses that it was receiving the threat from. Now the Wireshark reports link back to those same IP addresses, which is what worries me. Most of the IPs I've tried to trace back lead to cloud networks, so no give there.

 

The biggest difficulty that this attack has caused is that ever since this hack, my sim-racing hardware is literally destroying itself, and seems to get corrupted every single time I plug it into any of my PCs. (For anyone who doesn't know what a sim-racing device is, it's basically a motor-powered wheelbase communicating with firmware delivered back and forth through a USB device plugged into my PC. It is the main communicator with my PC and has been plugged into two of my PCs back and forth during the infection.) I've already tested my power and electricity, so we can move that out of the way. I don't know what the attackers are up to and how much access they have now since I've purchased new hardware and stronger, more secure network devices, but the logs report there's still some corruption or infection. And as for my PCs, they are clearly still corrupting my sim-racing hardware somehow. I've bought 3 or 4 different wheelbases in this time; all have been corrupted.

 

I just bought a "Thrustmaster T300 RS" after all was said and done and I thought the proper remedies were taken to clear the infection and go back to normal, and that device was quickly corrupted and destroyed as I plugged it into what we'll call "PC: B" and then tried to plug into "PC: A," which also did allow the wheelbase device to function properly. So that's when I started looking into this more again, and realized I'm probably not clear and don't want to purchase another PC nor wheelbase until I know it's not going to just become infected like the rest.

 

This is the main reason I am here now; I'm just asking if someone can help me target the gateway to this attack and find the leading cause of this problem. Then I'm willing to buy a new PC and start fresh so I can do what I am passionate about again. I just don't want to buy a new PC for it to just get corrupted as soon as it goes through my network, if that is the cause of this.

 

It's been a frustrating process because I love sim-racing and ever since I've been hacked, I can no longer enjoy that and do that. Thank you to anyone who has read this far, and I would appreciate any support.

 

-GS

 

For anyone who is wondering how this started: my old childhood friend sent me a link to buy an account for Windows 11 to help him with a Minecraft server (like the old days). Big mistake, but it was off a site called G2G, which I had mistaken for G2A. Anyway, I bought the account, signed in, it asked for authorization permissions to files or something like that, and me being tired that night and in a rush, I didn't even read what it said and hit allow. This is how this all started, and this was back in December of 2022. Yes, this has affected me this long. That's why I am here. Yes, I know I'm not smart for that action, and I will always be very careful now, and buy Minecraft properly.


Edited by grindsetnmw, 15 April 2024 - 02:06 PM.
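One way to turn a capture like the one described above into something actionable, as an added example that is not code from this thread: a Python script that ranks external destinations by the bytes the local host sent them, working from a tshark CSV export. The tshark command, the local address 192.168.1.20 and the sample rows are assumptions and constructed data, not anything from the poster's captures.

```python
# Added example, not from the BleepingComputer thread. Assumes rows produced by
#   tshark -r capture.pcapng -T fields -E separator=, -e ip.src -e ip.dst -e frame.len
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (src,dst,frame_len); the public addresses are
# documentation ranges (TEST-NET-2/3), not real hosts.
SAMPLE_CSV = """\
192.168.1.20,192.168.1.1,74
192.168.1.20,203.0.113.45,1514
192.168.1.20,203.0.113.45,1514
192.168.1.20,203.0.113.45,1514
192.168.1.20,198.51.100.7,120
198.51.100.7,192.168.1.20,600
192.168.1.20,192.168.1.30,243
192.168.1.20,203.0.113.45,1514
"""

# Explicit LAN/local ranges; ipaddress.is_private would also treat TEST-NET as private.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

def is_lan(addr):
    return any(addr in net for net in LAN_NETS)

def summarize_outbound(csv_text, local_ip):
    """Return {dst: (packets, bytes)} for frames the local host sent to non-LAN IPs.
    LAN broadcast chatter (NetBIOS and the like) is deliberately left out."""
    local = ipaddress.ip_address(local_ip)
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3 or not row[0] or not row[1]:
            continue  # non-IP frames export empty fields
        src, dst, length = row
        if ipaddress.ip_address(src) != local or is_lan(ipaddress.ip_address(dst)):
            continue
        totals[dst][0] += 1
        totals[dst][1] += int(length)
    return {d: tuple(v) for d, v in totals.items()}

def top_talkers(summary, share=0.5):
    """Destinations taking at least `share` of outbound bytes, largest first; these
    are the addresses to compare against the router's DDoS/block logs."""
    total = sum(b for _, b in summary.values()) or 1
    return sorted(((d, p, b) for d, (p, b) in summary.items() if b / total >= share),
                  key=lambda t: -t[2])
```

On the constructed rows, `top_talkers(summarize_outbound(SAMPLE_CSV, "192.168.1.20"))` singles out 203.0.113.45, which received 4 of the 5 outbound external frames; a real 2-million-packet capture would be read the same way, one destination at a time.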


#2 JSntgRvr

  • Malware Response Team

Posted 16 April 2024 - 07:48 PM

Welcome  :)
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.  :)

Let's begin... 

 

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Please rename FRST.EXE or FRST64.EXE to FRSTEnglish.exe
  • After renaming the file right-click over FRSTEnglish.exe and select "Run as administrator"
  • When the tool opens click Yes to the disclaimer if this is the first time using the tool
  • Make sure there is a check mark in the Addition.txt check box
  • Press the Scan button.
  • It will make a log FRST.txt and Addition.txt in the same directory the tool is run from. Please attach both logs to your next reply.

No request for help through private messaging will be attended.

Inactive logs for more than four (4) days will be closed.


#3 grindsetnmw

  • Topic Starter

Posted 16 April 2024 - 10:35 PM

Okay, I will start here for a foundation. I do want to ask, though, should I do the exact same on all my computers that have been infected? I have 3 computers with the same symptoms, although the first PC that was infected was "PC A"; there are 3 in total: "PC A", "PC B", and "PC C."



#4 JSntgRvr

  • Malware Response Team

Posted 16 April 2024 - 11:30 PM

No. One computer at a time. It will be confusing to deal with all at the same time.



#5 grindsetnmw

  • Topic Starter

Posted 17 April 2024 - 12:03 AM

Okay, sounds good. I will have a look at this either tomorrow or the next day, whichever day I can find some time between work. I will get back to you soon with some results, thank you.



#6 grindsetnmw

  • Topic Starter

Posted 17 April 2024 - 12:24 AM

Okay here it is, I will send the logs below. Thank you.

Attached Files



#7 JSntgRvr

  • Malware Response Team

Posted 17 April 2024 - 04:06 PM

There is no apparent infection in this computer.
 
This Fix will empty the following folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
The system will be rebooted after the fix has run.
 
C:\Users\Matt 2\Desktop\Farbar\FRSTEnglish.exe.exe

  • Download the enclosed file Fixlist.txt (attached, 14.88KB)
  • Save it in the same location FRST64.exe is saved 
  • Start FRST (FRST64) with Administrator privileges 
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply. If too long, use an online service such as www.wetransfer.com.
 
Dr.Web CureIt!
Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/
 
You will need to send them an email to obtain a link to download the scanner; please do so.
 

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply



#8 JSntgRvr

  • Malware Response Team

Posted Yesterday, 08:42 PM

Are you still with us?
